UFW, or Uncomplicated Firewall, is a tool designed to let administrators manage the native Debian firewall easily. Instead of editing the iptables rules directly with complicated commands, you can manage the firewall rules with a few simple UFW commands. First install UFW:
apt-get install ufw
5.1. Set the default firewall rules
In general, a server only needs a small number of ports open for incoming connections, while all the other ports should remain closed. The ufw default command can be used to set the default response to incoming and outgoing connections. To deny all incoming and allow all outgoing connections, run:
ufw default allow outgoing
ufw default deny incoming
The ufw default command also accepts the reject parameter. Please note that the deny and allow rules have no effect until you enable ufw, so make sure that you set the proper allow rules for SSH and for the other critical services, as described below, before enabling ufw with the default allow/deny rules from above. Otherwise, you may lock yourself out of your server.
5.2. Add firewall rules
Rules can be added in two ways: by specifying the port number or by specifying the service name.
For example, to allow connections on port 80 for HTTP, you can run either of the following (ufw resolves the service name through /etc/services):
ufw allow 80
ufw allow http
5.3. Remove firewall rules
To remove a rule, use the delete command, like this:
ufw delete allow 80
The delete command also allows the use of service names (http, ssh, etc.).
5.4. Allow connections for the custom SSH port
Remember that in the /etc/ssh/sshd_config file, you changed the default SSH port, which is 22, to a custom port, 6283 in our example. This is very important for security reasons, but it's equally important to remember to allow SSH connections on this custom SSH port, otherwise you will lock yourself out of your server when enabling UFW. To open port 6283 in the firewall run:
ufw allow 6283
Replace 6283 with your custom SSH port. This also means that you won't open port 22, which is the main target of attackers.
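The lock-out risk described above can be checked mechanically before you run ufw enable. The script below is an added example, not code from the original guide: it reads the Port directives from an sshd_config file and refuses to go ahead unless a saved ufw status listing contains an ALLOW rule for each of them. The function names, file paths and sample files are constructed for the example; on a real host you would point it at /etc/ssh/sshd_config and at the saved output of ufw status numbered.

```sh
#!/bin/sh
# Added example, not part of the original guide: a pre-flight check that refuses
# to enable UFW until the SSH port configured in sshd_config has an ALLOW rule.
# Function names, paths and the sample files below are constructed for the example.

# Print every active "Port" directive from an sshd_config file, one per line.
# sshd listens on all of them; with none set, it listens on 22.
ssh_ports_from_config() {
    ports=$(awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { print $2 }' "$1")
    echo "${ports:-22}"
}

# Return 0 if a saved "ufw status" or "ufw status numbered" listing contains an
# ALLOW rule whose To column is the port (optionally with "/tcp" or "(v6)"), else 1.
ssh_rule_present() {
    port=$1 listing=$2
    grep -E "^(\[ *[0-9]+] +)?${port}(/tcp)?( \(v6\))? +ALLOW( IN)? " "$listing" >/dev/null
}

# Gate "ufw enable" on the check above: returns 0 when every SSH port is allowed,
# and 1 (enabling nothing) when one is missing, so a forgotten rule cannot lock you out.
safe_enable() {
    sshd_config=$1 listing=$2 missing=""
    for port in $(ssh_ports_from_config "$sshd_config"); do
        ssh_rule_present "$port" "$listing" || missing="$missing $port"
    done
    if [ -n "$missing" ]; then
        echo "refusing to enable: no ALLOW rule for SSH port(s):$missing" >&2
        return 1
    fi
    echo "all SSH ports are allowed; safe to run: ufw enable"
}

# Constructed sample inputs (on a real host: /etc/ssh/sshd_config and the
# output of "ufw status numbered" saved to a file).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#Port 22
Port 6283
EOF
cat > "$SAMPLE_DIR/status_ok.txt" <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 6283                       ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
[ 3] 6283 (v6)                  ALLOW IN    Anywhere (v6)
EOF
cat > "$SAMPLE_DIR/status_missing.txt" <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 80                         ALLOW IN    Anywhere
EOF

# Stand-alone demonstration: the first call passes, the second refuses.
safe_enable "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/status_ok.txt"
safe_enable "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/status_missing.txt" || echo "(blocked as intended)"
```

The check only reads files, so it can be run from a wrapper that calls the real ufw enable when safe_enable returns 0; the second sample listing shows the exact mistake the guide warns about, an ALLOW rule for 22 when sshd actually listens on 6283.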
5.5. Add various firewall rules
You can add a rule to deny traffic on a certain port like this:
ufw deny 111
If you do this, when you run the ufw status command to list all the rules implemented by UFW, port 111 will be listed with the action DENY, like this:
To                         Action      From
--                         ------      ----
111                        DENY        Anywhere
You can fine-tune your rules by allowing packets based on the TCP or UDP protocol. Both commands below do the same thing: allow TCP packets on port 80:
ufw allow 80/tcp
ufw allow http/tcp
The following command will allow UDP packets on port 2536:
ufw allow 2536/udp
5.6. Advanced rules
Using UFW you can allow or deny connections based on ports, but also based on specific IP addresses, subnets, or combinations of IP addresses, subnets and ports.
To allow connections from the IP 126.96.36.199, run:
ufw allow from 126.96.36.199
To allow connections from the 188.8.131.52/24 subnet, run:
ufw allow from 184.108.40.206/24
To allow a specific IP address, port and protocol combination:
ufw allow from 220.127.116.11 to any port 4234 proto tcp
proto tcp can be removed or replaced with proto udp depending on your requirements, and every instance of allow can be changed to deny.
To open a range of ports run:
ufw allow 12200:12299/tcp
In the case of port ranges, the protocol part (/tcp or /udp) is mandatory.
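The syntax rules of this section (source address or subnet, port or port range, protocol, and the mandatory protocol on a range) can be enforced before any rule reaches the firewall. The script below is an added example, not part of the original guide: it builds the ufw commands from a small rule file and rejects the whole batch if any line is invalid. The rule-file format, the function names and the sample files are constructed for the example, and it accepts numeric ports only, not service names.

```sh
#!/bin/sh
# Added example, not part of the original guide: build ufw commands from a short
# rule list and validate each one first, so an invalid spec (a range without a
# protocol, a port outside 1-65535) stops the batch before anything is applied.
# The list format, function names and sample files are constructed for the example.

# Return 0 if $1 is an integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is a single port or a low:high range with low < high.
valid_port_spec() {
    case $1 in
        *:*:*) return 1 ;;
        *:*)   valid_port "${1%%:*}" && valid_port "${1#*:}" && [ "${1%%:*}" -lt "${1#*:}" ] ;;
        *)     valid_port "$1" ;;
    esac
}

# Print one ufw command for: ACTION PORTSPEC [tcp|udp] [SOURCE-IP-OR-SUBNET].
# Returns 1 and prints nothing on stdout when the spec is invalid.
ufw_rule() {
    action=$1 portspec=$2 proto=${3:-} src=${4:-}
    case $action in allow|deny|reject) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    valid_port_spec "$portspec" || { echo "bad port spec: $portspec" >&2; return 1; }
    case $proto in ''|tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case $portspec in
        *:*) [ -n "$proto" ] || { echo "range $portspec needs tcp or udp" >&2; return 1; } ;;
    esac
    if [ -z "$src" ]; then
        echo "ufw $action $portspec${proto:+/$proto}"
    else
        echo "ufw $action from $src to any port $portspec${proto:+ proto $proto}"
    fi
}

# Convert a rule file (one "action port [proto] [source]" per line, "#" comments)
# into commands. Nothing is printed unless every line is valid.
ufw_batch() {
    commands=""
    while read -r action portspec proto src; do
        case $action in ''|'#'*) continue ;; esac
        cmd=$(ufw_rule "$action" "$portspec" "$proto" "$src") || return 1
        commands="$commands$cmd
"
    done < "$1"
    printf '%s' "$commands"
}

# Constructed sample lists; the ports and addresses are the guide's own examples.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
# SSH on the custom port first, so enabling UFW never locks you out
allow 6283 tcp
allow 80
allow 443 tcp
deny 111
allow 4234 tcp 220.127.116.11
allow 12200:12299 tcp
EOF
RULES_BAD=$(mktemp)
cat > "$RULES_BAD" <<'EOF'
allow 80
allow 12200:12299
EOF

ufw_batch "$RULES"                                      # six commands for review
ufw_batch "$RULES_BAD" || echo "batch rejected, nothing to apply"
```

Review the printed commands, then run them as root with ufw_batch rules.txt | sh. Because the batch prints nothing when any line fails validation, a half-applied rule set cannot happen, which is the case that otherwise leaves a server with its SSH rule missing.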
5.7. Edit UFW Configuration Files
Before running the rules added using the command line, UFW runs the rules listed in the /etc/ufw/before.rules file, which can be complex rules associated with loopback, pings or DHCP. To add rules to be run before the rules entered on the command line, edit the /etc/ufw/before.rules file. A before6.rules file is also located in the same directory for IPv6. An after.rules and an after6.rules file also exist to add any rules that need to be run after the rules that you added on the command line.
Another important configuration file is /etc/default/ufw. In this file, you can enable or disable IPv6 support and configure various default settings.
5.8. Enable UFW
After you have set all your rules, if you run:
ufw status
you will see:
Status: inactive
To enable UFW and apply all the firewall rules that you have set up, run:
ufw enable
Similarly, to disable UFW's rules, run:
ufw disable
This will still leave the UFW service running and enabled on reboots.
5.9. Reset UFW Rules
If you have set up some UFW rules but you decide that you want to start again, you can use the reset command to disable UFW and delete all the rules added previously:
ufw reset
This lets you remove all your changes and start fresh.
5.10. UFW Status
You can check the status of UFW at any moment by running:
ufw status
This will show whether or not UFW is active and will list all the rules added using the command line:
Status: active

To                         Action      From
--                         ------      ----
6283                       ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
6283 (v6)                  ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
You can list all the rules as a numbered list by running:
ufw status numbered

     To                         Action      From
     --                         ------      ----
[ 1] 2581                       ALLOW IN    Anywhere
[ 2] 6258                       ALLOW IN    Anywhere
[ 3] 6814                       ALLOW IN    Anywhere
[ 4] 6815                       ALLOW IN    Anywhere
[ 5] 443                        ALLOW IN    Anywhere
The big advantage of listing the rules as a numbered list is that you can delete any rule by specifying its number, like this:
ufw delete 2
ufw delete 5
Note that UFW renumbers the remaining rules after each deletion, so run ufw status numbered again before deleting the next rule, or delete from the highest number down.
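Because UFW renumbers the remaining rules after every deletion, deleting rule 2 and then rule 5 from the same listing removes a different rule than the one that was number 5 before. The script below is an added example, not part of the original guide: it looks up rule numbers by their To column in a saved ufw status numbered listing and emits the ufw delete commands with the highest number first, so each later command still points at the rule it was meant for. The listing and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the original guide: compute "ufw delete N" commands
# from a saved "ufw status numbered" listing, emitting the highest number first.
# UFW renumbers the remaining rules after every deletion, so deleting in ascending
# order would hit the wrong rules. The listing and function names are constructed.

LISTING=$(mktemp)
cat > "$LISTING" <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 6283                       ALLOW IN    Anywhere
[ 2] 1053                       ALLOW IN    Anywhere
[ 3] 80                         ALLOW IN    Anywhere
[ 4] 111                        DENY IN     Anywhere
[ 5] 443                        ALLOW IN    Anywhere
[ 6] 80 (v6)                    ALLOW IN    Anywhere (v6)
EOF

# Print the numbers of the rules whose To column equals $2 exactly.
# "80" must not match "80 (v6)": in ufw's fixed-width listing the To column is
# followed by several spaces, while the "(v6)" suffix follows after a single one,
# so the pattern requires two spaces after the value.
rule_numbers_for() {
    listing=$1 to=$2
    sed -n 's/^\[ *\([0-9][0-9]*\)][[:space:]]*\(.*\)$/\1|\2/p' "$listing" |
    while IFS='|' read -r num rest; do
        case $rest in "$to  "*) echo "$num" ;; esac
    done
}

# Emit one "ufw delete N" per matching rule, highest N first, without duplicates.
delete_commands_for() {
    listing=$1; shift
    for to in "$@"; do rule_numbers_for "$listing" "$to"; done |
        sort -rn | uniq | while read -r n; do echo "ufw delete $n"; done
}

# Stand-alone demonstration: remove the HTTP rule and the deny rule for port 111.
delete_commands_for "$LISTING" 80 111
```

Save the current listing with ufw status numbered > listing.txt, review the commands the script prints, then run them in that order; rules that carry a "(v6)" suffix are addressed by passing the full To value, for example '80 (v6)'.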
After you install all the applications described in this guide, your UFW rules should look like the listing below. (Please note that several of the ports below are custom ports chosen for this guide, so you shouldn't use the ones shown here. Replace them with your own custom ports, as we explain for each application when describing how to install it. Don't open all these ports yet. We'll explain when to open each of them further down.)
ufw status numbered

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 6283                       ALLOW IN    Anywhere                   (SSH)
[ 2] 1053                       ALLOW IN    Anywhere                   (FTP)
[ 3] 30856                      ALLOW IN    Anywhere                   (FTP passive)
[ 4] 30857                      ALLOW IN    Anywhere                   (FTP passive)
[ 5] 443                        ALLOW IN    Anywhere                   (HTTPS)
[ 6] 80                         ALLOW IN    Anywhere                   (HTTP)
[ 7] 1194/udp                   ALLOW IN    Anywhere                   (OpenVPN)
[ 8] 995                        ALLOW IN    Anywhere                   (POP3S)
[ 9] 993                        ALLOW IN    Anywhere                   (IMAPS)
[10] 587                        ALLOW IN    Anywhere                   (STARTTLS over SMTP)
[11] 465                        ALLOW IN    Anywhere                   (SMTPS)
[12] 143                        ALLOW IN    Anywhere                   (IMAP)
[13] 110                        ALLOW IN    Anywhere                   (POP3)
[14] 25                         ALLOW IN    Anywhere                   (SMTP)
[15] 8443                       ALLOW IN    Anywhere                   (STUN)
[16] 10000:20000/udp            ALLOW IN    Anywhere                   (Asterisk)
[17] 5827                       ALLOW IN    Anywhere                   (Asterisk)
[18] 8088                       ALLOW IN    Anywhere                   (WebRTC)
[19] 8089                       ALLOW IN    Anywhere                   (WebRTC)
[20] 53                         ALLOW IN    Anywhere                   (DNS BIND)
[21] 443 (v6)                   ALLOW IN    Anywhere (v6)
[22] 80 (v6)                    ALLOW IN    Anywhere (v6)
[23] 995 (v6)                   ALLOW IN    Anywhere (v6)
[24] 993 (v6)                   ALLOW IN    Anywhere (v6)
[25] 587 (v6)                   ALLOW IN    Anywhere (v6)
[26] 465 (v6)                   ALLOW IN    Anywhere (v6)
[27] 143 (v6)                   ALLOW IN    Anywhere (v6)
[28] 110 (v6)                   ALLOW IN    Anywhere (v6)
[29] 25 (v6)                    ALLOW IN    Anywhere (v6)
[30] 8443 (v6)                  ALLOW IN    Anywhere (v6)
[31] 10000:20000/udp (v6)       ALLOW IN    Anywhere (v6)
[32] 5827 (v6)                  ALLOW IN    Anywhere (v6)
[33] 8088 (v6)                  ALLOW IN    Anywhere (v6)
[34] 8089 (v6)                  ALLOW IN    Anywhere (v6)
[35] 53 (v6)                    ALLOW IN    Anywhere (v6)